Bug 659297 - (CVE-2010-4252) CVE-2010-4252 openssl: session key retrieval flaw in J-PAKE implementation
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Priority: high
Severity: high
Assigned To: Red Hat Product Security
impact=important,source=openssl,repor...
Keywords: Security
Reported: 2010-12-02 08:01 EST by Tomas Hoger
Modified: 2013-03-12 12:49 EDT (History)
Doc Type: Bug Fix
Last Closed: 2010-12-02 08:06:18 EST
Attachments
Reproducer (6.15 KB, patch), 2010-12-02 08:04 EST, Tomas Hoger
Description Tomas Hoger 2010-12-02 08:01:16 EST
Sébastien Martini discovered a flaw in the OpenSSL implementation of the J-PAKE authentication protocol.  OpenSSL performed insufficient validation of the public parameters received from the untrusted party, which could use this flaw to make the J-PAKE protocol generate a predictable session key.  Hence an attacker could use this implementation flaw to successfully authenticate (i.e. prove knowledge of the shared secret) to the peer, usually a server.

Sébastien Martini's paper describing this flaw, as well as proof-of-concept code, can be found in the following GitHub repository:
  https://github.com/seb-m/jpake

OpenSSL upstream fix for the issue, which should be included in versions 0.9.8q and 1.0.0c:
  http://cvs.openssl.org/chngview?cn=20098

Note: the J-PAKE implementation is considered experimental upstream and is not enabled by default.
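The following is an added illustration, not code from this bug report, from the linked proof of concept, or from OpenSSL/OpenSSH. It is a toy Python J-PAKE in a deliberately tiny constructed group (p = 1019, q = 509, g = 4; real deployments use large parameters) that shows the validation the description says was insufficient: a received public value g^x equal to 1 satisfies a Schnorr knowledge proof (the exponent 0 is a perfectly provable secret), so the proof alone is not enough; the receiver must additionally reject 1, values outside [2, p-2], and values outside the order-q subgroup. `process_round1` applies both checks, and `jpake_session` runs an honest exchange to show the checks do not interfere with a legitimate run. Party names, the hash-to-challenge construction and all sample secrets are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy group for illustration only (far too small for real use):
# p = 2q + 1 with p, q prime, and g = 4 generating the order-q subgroup.
P, Q, G = 1019, 509, 4


def _challenge(*parts):
    """Hash the proof transcript to a challenge in [0, q) (assumed encoding)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(str(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % Q


def zkp_create(x, gx, ident, base=G):
    """Schnorr proof of knowledge of x such that base**x == gx (mod p)."""
    v = secrets.randbelow(Q)
    big_v = pow(base, v, P)
    h = _challenge(base, big_v, gx, ident)
    return big_v, (v - x * h) % Q


def zkp_verify(gx, proof, ident, base=G):
    """Check base**r * gx**h == V (mod p); true even when gx == 1 and x == 0."""
    big_v, r = proof
    h = _challenge(base, big_v, gx, ident)
    return (pow(base, r, P) * pow(gx, h, P)) % P == big_v


def validate_public_value(gx):
    """Range and subgroup checks for a received g^x.  This is the check the
    report describes as missing: 1 (exponent 0) passes the ZKP but makes the
    derived key predictable, so it must be rejected outright, and so must any
    value outside [2, p-2] or outside the order-q subgroup."""
    if not 2 <= gx <= P - 2:
        return False
    return pow(gx, Q, P) == 1


def process_round1(gx, proof, ident):
    """Accept a peer's round-1 value only if both checks pass."""
    return validate_public_value(gx) and zkp_verify(gx, proof, ident)


def jpake_session(secret_alice, secret_bob):
    """Honest two-party J-PAKE run over the toy group; returns (K_alice, K_bob).
    With equal secrets both keys agree; the round-1 checks are applied to every
    received value and raise if a value is rejected."""
    s_a, s_b = secret_alice % Q, secret_bob % Q
    x1, x2, x3, x4 = (1 + secrets.randbelow(Q - 1) for _ in range(4))
    gx1, gx2, gx3, gx4 = (pow(G, x, P) for x in (x1, x2, x3, x4))
    # Round 1: exchange g^x values with proofs; each side validates the peer's.
    for gx, x, who in ((gx3, x3, "bob"), (gx4, x4, "bob"),
                       (gx1, x1, "alice"), (gx2, x2, "alice")):
        if not process_round1(gx, zkp_create(x, gx, who), who):
            raise ValueError("round-1 value rejected")
    # Round 2: A = (g^x1 g^x3 g^x4)^(x2 s) and B = (g^x1 g^x2 g^x3)^(x4 s),
    # each with a proof of the exponent relative to its composite base.
    base_a = (gx1 * gx3 * gx4) % P
    base_b = (gx1 * gx2 * gx3) % P
    A = pow(base_a, (x2 * s_a) % Q, P)
    B = pow(base_b, (x4 * s_b) % Q, P)
    proof_a = zkp_create((x2 * s_a) % Q, A, "alice", base_a)
    proof_b = zkp_create((x4 * s_b) % Q, B, "bob", base_b)
    if not (zkp_verify(A, proof_a, "alice", base_a)
            and zkp_verify(B, proof_b, "bob", base_b)):
        raise ValueError("round-2 proof rejected")
    # Key material: Alice computes (B / g^(x4 x2 s))^x2, Bob the symmetric value.
    k_alice = pow((B * pow(gx4, (-x2 * s_a) % Q, P)) % P, x2, P)
    k_bob = pow((A * pow(gx2, (-x4 * s_b) % Q, P)) % P, x4, P)
    return k_alice, k_bob


if __name__ == "__main__":
    print("ZKP alone accepts g^x = 1:", zkp_verify(1, zkp_create(0, 1, "peer"), "peer"))
    print("range/subgroup check rejects it:", not validate_public_value(1))
    print("honest run agrees:", len(set(jpake_session(12345, 12345))) == 1)
```

The point of the test pair in `__main__` is that `zkp_verify` returns true for the value 1 while `validate_public_value` returns false for it; a receiver that only runs the proof check, as the description says the affected code did, accepts a public value that fixes the session key in advance.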
Comment 1 Tomas Hoger 2010-12-02 08:04:41 EST
Created attachment 464242
Reproducer

Sébastien Martini's reproducer.

Source: https://github.com/seb-m/jpake/tree/master/openssl-jpake/

The Git repository provides a couple of files that should replace the original files in openssl 1.0.0a and that are needed to build a modified client exploiting this flaw.  This attachment contains a diff between vanilla 1.0.0a and 1.0.0a with Sébastien's modifications applied.
Comment 2 Tomas Hoger 2010-12-02 08:06:18 EST
(In reply to comment #0)
> Note: J-PAKE implementation is considered experimental upstream and is not
> enabled by default.

J-PAKE is not enabled in Red Hat Enterprise Linux and Fedora OpenSSL packages either.

Statement:

Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 4, 5, or 6.
Comment 3 Tomas Hoger 2010-12-02 08:10:20 EST
The same flaw was reported for the OpenSSH J-PAKE implementation too and fixed in:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/jpake.c#rev1.5

As with OpenSSL, the OpenSSH code is experimental and not enabled by default or in RHEL / Fedora builds.
Comment 4 Tomas Hoger 2010-12-02 15:10:56 EST
(In reply to comment #0)
> OpenSSL upstream fix for the issue, which should be included in version 0.9.8q
> and 1.0.0c:
>   http://cvs.openssl.org/chngview?cn=20098

Upstream security advisory:
  http://openssl.org/news/secadv_20101202.txt
